What on earth has happened to viable HIPS software availability?

Discussion in 'other anti-malware software' started by Smiggy, Mar 10, 2017.

  1. Smiggy

    Smiggy Registered Member

    Joined:
    May 2, 2007
    Posts:
    237
    Location:
    The Angel Isle
    Where have they all gone?
    The likes of Online Armor, GESwall (I know it's a BB, but concept same), EQSecure (loved it)?
    Used to love not needing an AV, more so today with all the added 'bloated chocolate fireguard' aspects!

    Is Comodo really the only viable option out there for free now?
     
  2. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    751
    Location:
    Italy
    Yes, I think only Comodo still offers a good HIPS, even if bundled on a security suite.

    McAfee developed Raptor/Real Protect, a BB, and now it has been implemented in their protection software, including the free McAfee Cloud AV, as you can see in this document (page 3):

    www.mcafee.com/hk/resources/reports/rp-quarterly-threats-mar-2016.pdf

    https://home.mcafee.com/Secure/CloudAV/HowItWorks.html
     
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Gone for lack of sales. Mass public has never figured out HIPS, so they don't buy it.
     
  4. guest

    guest Guest

    Mostly, you also have Spyshelter. Many HIPS disappeared or are abandoned (like OA) because it is mostly a geek tool and the vendor can't get enough income from it while their support team is under constant fire (aka Emsisoft). HIPS are not an "everybody solution".
     
  5. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,324
    Location:
    Slovenia
    Yes I also miss Malware Defender, but to be frank I don't know if I would be using it again. Probably just for testing purposes...
    After moving to x64 and introduction of PatchGuard old HIPS apps were never reprogrammed to be compatible - it would probably take a lot of time for developers and no $ in return.
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,379
    Location:
    U.S.A.
    You forgot Outpost which is now also defunct.

    HIPS's still exist, with most being part of an integrated AV security solution. Eset, Kaspersky, Trustport, etc. all have HIPS components. HIPS's used in these solutions are designed to require minimal user interaction and configuration, although they can be custom configured if the user wishes.

    Anti-exec's employ many of the features incorporated in the old stand-alone HIPS's and are what are popular today.
     
  7. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    3,784
    Location:
    Nebraska, USA
    The reason HIPS software has faded from the spotlight is the same reason we don't need separate anti-keyloggers, separate anti-this, anti-that, and anti-everything else software. Today's basic anti-malware solutions, along with keeping Windows current, and most importantly, common-sense (don't be "click-happy") user-discipline is all we need.

    HIPS software made a splash when virtually all anti-malware suite-type solutions (AVG, AVIRA, AVAST, Comodo, Kaspersky, MSD/WD, Norton, McAfee, yadda-yadda) relied on, for the most part, signature and definition files to identify malware. But today, all the popular real-time anti-malware solutions include HIPS features that monitor for "malicious activity" or "suspicious behavior" too. That's what HIPS software did - it monitored the "behavior" of running code and if suspicious or malicious, the HIPS software would stop/block it.

    Since all of the popular modern real-time anti-malware solutions already include effective "activity" and "behavior" monitoring, we don't need another program hogging resources unnecessarily that is doing the exact same thing.

    So separate HIPS software fell into obscurity because it was not needed.
     
  8. fblais

    fblais Registered Member

    Joined:
    Jul 31, 2008
    Posts:
    1,261
    Location:
    Québec, Canada
    Privacyware's DSA was nice.
    They recently discontinued the firewall as well.
     
  9. guest

    guest Guest

    I shifted from HIPS after OA was abandoned to SRP (Appguard) + isolation (sandboxie, ReHIPS), far more effective than HIPS.
     
    Last edited by a moderator: Mar 10, 2017
  10. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,379
    Location:
    U.S.A.
    Yes, one of the first AI behavior analysis products.
     
  11. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    Appguard is great but is it a home user app? Maybe they have a large business user base, I don't know. Same with Voodooshield.
     
  12. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,379
    Location:
    U.S.A.
    Let's restrict the discussion to "classical" HIPS's which I believe is the topic. The model employed is default deny. Any process activity not previously observed for which there are no existing rules for it will generate an alert. The user must then decide to allow or deny the activity and also to create permanent rules for the activity.

    The primary factor that led to the demise of the classical HIPS was the creation of the "Cloud." The Cloud enabled AV vendors to perform reputational analysis on processes based on prevalence/hash/signature. Processes are ranked from well known (safe) to unknown (unsafe). Depending on the ranking, additional analysis such as sandbox monitoring of execution will be performed. Finally a determination will be made to fully allow the process, monitor further process activity, or deny process execution with auto creation of corresponding execution rules. If an automatic determination could not be made, the user will be alerted with a recommended response for determination of process execution activity.

    The above reputational analysis activities greatly reduced false positives and most importantly user interaction in the determination of whether a process and its corresponding activities are "safe."
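
The two decision models described in the post above (classical default deny versus reputation-ranked triage), sketched as an added example that is not part of the thread or any vendor's code. The process names, prevalence figures, threshold and sandbox results are constructed assumptions.

```python
# Added illustration of the two models; all names, scores and events are constructed.
EVENTS = [  # (process, action) pairs observed on a host
    ("browser", "outbound_connect"), ("browser", "write_file"),
    ("updater", "register_service"), ("newtool", "autostart"),
    ("dropper", "load_driver"), ("browser", "outbound_connect"),
    ("rare", "write_file"),
]
# Constructed cloud data: process -> (prevalence, validly_signed)
REPUTATION = {"browser": (5_000_000, True), "updater": (800_000, True),
              "newtool": (40, False), "dropper": (3, False)}
# Constructed sandbox results for the processes that were detonated
SANDBOX = {"newtool": "clean", "dropper": "malicious"}
PREVALENCE_THRESHOLD = 10_000  # assumed cut-off for "well known"


def classical_hips(events, ask_user):
    """Default deny: every (process, action) without a rule prompts the user."""
    rules, alerts = {}, 0
    for process, action in events:
        if (process, action) not in rules:
            alerts += 1
            rules[(process, action)] = ask_user(process, action)  # permanent rule
    return rules, alerts


def reputation_hips(events, ask_user):
    """Rank the process first; prompt only when no automatic verdict exists."""
    rules, alerts = {}, 0
    for process, action in events:
        if process in rules:
            continue  # an execution rule was already auto-created
        prevalence, signed = REPUTATION.get(process, (0, False))
        if signed and prevalence >= PREVALENCE_THRESHOLD:
            verdict = "allow"
        elif SANDBOX.get(process) == "malicious":
            verdict = "deny"
        elif SANDBOX.get(process) == "clean":
            verdict = "monitor"
        else:
            alerts += 1  # no automatic determination: fall back to the user
            verdict = ask_user(process, action)
        rules[process] = verdict
    return rules, alerts


def always_deny(process, action):
    return "deny"  # stand-in for the human answering the prompt
```

On the constructed event list the classical model prompts once per previously unseen process/action pair, while the reputation model prompts only for the one process it cannot rank.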
     
  13. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,094
    Location:
    Germany
    HIPS:
    • People, who really understand them, don't get infected and don't need security software.
    • People, who get infected, don't understand HIPS and will either allow everything or brick their system.
    • This leaves only security forums users, who think they are Elliot Alderson type system expert professionals and have to deploy advanced protection software to satisfy their own narcissism. Their number however isn't large enough to finance the yearly salary of a single developer, let alone a company.
     
  14. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Point well taken. Way back when Prevx 2.0 was an excellent HIPS, they found 50% of the users responded incorrectly to prompts. That didn't help the HIPS cause.
     
  15. ArchiveX

    ArchiveX Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    1,463
    Location:
    Land of the Light
    Spot on! :thumb: ;)
     
  16. guest

    guest Guest

    Yes and no, BRN is a military/government/corporate contractor mostly (for the Endpoint version), home users (basic AG) represent a tiny fraction of their user-base.

    Totally agree and I will add a category "people liking to test security apps and looking for fun on their system" but again still a niche market. No way to make decent income. Look at Defensewall, its dev preferred to work for Avast rather than keep developing it.

    I don't know why some HIPS vendors (aka Comodo) think that Average Joe will master it ... they know only geeks will like and have time to learn those kinds of softs.
     
  17. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    3,784
    Location:
    Nebraska, USA
    The problem here is most really have no clue how to setup a realistic test scenario, nor do they have access to a full arsenal of genuine threats.

    People need to ask themselves, "Was I getting infected all the time before installing this new security program?" "Did I stop getting infected just by installing this software?" If the answer is yes to either, then you probably need to look at your primary real-time security solution, and your safe computing discipline/habits.
     
  18. guest

    guest Guest

    Indeed

    Exactly, and if the answer is No, either you are a tester or a paranoid :D
     
  19. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,963
    Location:
    Poland - Cracow
    I propose to close each main topics and leave only one ... the new one - "decent anti-malware" and let people dig in the same mad...
    :blink:
     
  20. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,324
    Location:
    Slovenia
    I must admit that while using HIPS and antiexes I learned a lot about how Windows system and applications work, how they interact and what's happening in background when user performs some action. They were great learning tools for me and I don't regret spending time to configure and use them.
     
  21. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    3,896
    HIPS was nice but it became futile - dropped here due to pointless function(s)

    at least a decent security concept can work without HIPS.
    here too but I was too much administrating for nothing. allow this, deny that, wtf is it.
    can cause malfunction and more - Windows has a lot of capabilities to do itself.

    would be interesting what people like to control with a HIPS, which special behavior should be blocked what common system settings won't allow or a firewall won't allow.
     
  22. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    4,955
    SSM still does the trick on my XP desktop, + WSA, VS [last version that was still suitable on XP].
     
  23. guest

    guest Guest

    Yes, same here; using a HIPS (in my case OA then Comodo) was a good learning tool. I wish OA would be resurrected, it was the best HIPS-based FW.

    Exactly, it was very useful back in time, but now... the point of the HIPS is to block any suspicious behavior, legit or not. Now use any SRP or anti-exe soft like Appguard; they do the job better with no prompts at all.

    Yes, I saw so many beginners wreck their system by blocking crucial system processes.

    I chose OA because I needed a strong FW, the HIPS was secondary, then I learned how to use it. At that time I was using a lot of cracks and keygens (yes yes only for research purposes :isay:), so it was nice to differentiate weaponized ones from clean ones by watching what they tried to do on the system.

    The thing is if you are a skilled user, you won't need a HIPS, in fact you may not need any security softs, you just need to set up efficiently the native security of the OS and use Process Explorer and Autorun alike softs to monitor what is running on the system.
    Now, on top of that, you may (like me) be toying with security apps (for various reasons such as curiosity, for fun, as a beta tester or for research purposes), then it is understandable.
    But relying on a HIPS as primary security option became futile with the more modern, stronger and convenient tools we have now.
    HIPS are and will be the epitome of geek tools. Average Joe will never use it and Corporate System Admin won't have the time to deal with HIPS on hundreds of computers, they are way too busy for that and will use SRP applications, which are more efficient and convenient.
     
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,101
    Location:
    The Netherlands
    Wrong, I thought I had already explained this. You can not say that AG does the job better, because HIPS is supposed to give you a second opinion about some app, in case your AV failed. Those alerts have actual value for people who know how to interpret them. Also, it's handy to block unwanted behavior from probably legit software, like registering services/drivers, auto-starting, making outbound connections and getting access to files.

    Yes it's not exactly a cash cow, and mostly meant for geeks, but this was never any different, so it's still a bit weird that 10 years ago there were that many solutions. The fact that now most AV's also offer this, and you can't hook the kernel in Windows anymore, which was a lot of fun for developers, are the biggest reasons I guess.
     
  25. guest

    guest Guest

    I understand where you are coming from, I came from there too, so I know for you it is a solid feature (as it was for me before) for the same exact reasons you mentioned.
    But now I don't let any chances to hazards, I have a doubt, I don't allow, that is it (one reason I always favor portable apps and set AG in Lockdown Mode with some customizations)

    It is the reason Fabian Wosar gave me about Online Armor's discontinuation. OA was the reason I became beta tester for Emsi.
     